Description:
------------
Relates to this Windows-specific crash (https://bugs.php.net/bug.php?id=75886), which also happens on *nix when opcache file-caching is used.
If an extension sets its own opcode handlers (via zend_set_user_opcode_handler, in zend_execute.c), then a reference to these handlers is stored by opcache when the script is (re)cached. The handlers are invoked from zend_vm_execute.h using the zend_user_opcode_handlers array:
ret = zend_user_opcode_handlers[opline->opcode](execute_data);
which was previously set by the calls to zend_set_user_opcode_handler.
When a later process runs without the extension, the handlers are unserialized and invoked through the same mechanism, except that zend_user_opcode_handlers has not been populated in that process, so the lookup yields a null pointer and the call goes through it.
On Windows this also happens without opcache file-caching, to a child process that has been restarted without the extension.
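The dispatch path described above, as an added C model (not code from this report or from PHP's source): the handler table is only filled in a process that loaded the extension, the unchecked dispatch calls through whatever the slot holds, and the checked variant refuses an empty slot. MAX_OPCODE, the opcode value 200, ext_handler and the run_cached_script scenario are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the dispatch described above; not PHP's own code. */
#define MAX_OPCODE 255
typedef int (*user_opcode_handler_t)(int *execute_data);

/* Stands in for zend_user_opcode_handlers: one slot per opcode, NULL unless
 * an extension registered a handler in *this* process. */
static user_opcode_handler_t user_opcode_handlers[MAX_OPCODE + 1];

/* Hypothetical extension handler (what a debugger extension might register). */
static int ext_handler(int *execute_data) { (*execute_data)++; return 0; }

/* Same contract as zend_set_user_opcode_handler: 0 on success, -1 on failure. */
int set_user_opcode_handler(int opcode, user_opcode_handler_t h) {
    if (opcode < 0 || opcode > MAX_OPCODE) return -1;
    user_opcode_handlers[opcode] = h;
    return 0;
}

/* Dispatch as quoted from zend_vm_execute.h: trusts that the cached opcode's
 * handler is registered. An empty slot means a call through NULL (the 0x0 frame). */
int dispatch_unchecked(int opcode, int *execute_data) {
    return user_opcode_handlers[opcode](execute_data);
}

/* Defensive variant: a cache built with a different extension set fails
 * cleanly with a diagnostic instead of jumping to address 0. */
int dispatch_checked(int opcode, int *execute_data) {
    user_opcode_handler_t h;
    if (opcode < 0 || opcode > MAX_OPCODE) return -1;
    h = user_opcode_handlers[opcode];
    if (h == NULL) {
        fprintf(stderr, "no handler registered for user opcode %d\n", opcode);
        return -1;
    }
    return h(execute_data);
}

/* Scenario from the report: a file-cached script carries a user opcode
 * (constructed value 200). Returns the handler's effect, or -1 if it is absent. */
int run_cached_script(int extension_loaded) {
    int state = 0;
    const int cached_opcode = 200;
    user_opcode_handlers[cached_opcode] = NULL;          /* fresh process */
    if (extension_loaded) set_user_opcode_handler(cached_opcode, ext_handler);
    return dispatch_checked(cached_opcode, &state) == 0 ? state : -1;
}
```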
Test script:
---------------
// test.php
<?php
echo "okay\n";
?>
----
Ini: opcache and xdebug enabled
opcache.enable_cli=1
opcache.file_cache=/some/where
opcache.file_cache_only=1
Run: php.exe test.php // Prints "okay"
Ini: as above, but with xdebug disabled
Run: php.exe test.php // crashes
Actual result:
--------------
PHP 7.2.1 (cli) (built: Feb 7 2018 13:01:16) ( ZTS DEBUG )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2017 Zend Technologies
with Zend OPcache v7.2.1, Copyright (c) 1999-2017, by Zend Technologies
Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
#0 0x0000000000000000 in ?? ()
#1 0x00000000007737be in ZEND_USER_OPCODE_SPEC_HANDLER () at /usr/src/Zend/zend_vm_execute.h:1813
#2 0x00000000007fd2f3 in execute_ex (ex=0x7ffff6e1f030) at /usr/src/Zend/zend_vm_execute.h:59815
#3 0x000000000080265a in zend_execute (op_array=0x7ffff6e80300, return_value=0x0) at /usr/src/Zend/zend_vm_execute.h:63763
#4 0x0000000000700aeb in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/Zend/zend.c:1496
#5 0x0000000000637684 in php_execute_script (primary_file=0x7fffffffd350) at /usr/src/main/main.c:2590
#6 0x0000000000805458 in do_cli (argc=4, argv=0xc748c0) at /usr/src/sapi/cli/php_cli.c:1011
#7 0x00000000008068ea in main (argc=4, argv=0xc748c0) at /usr/src/sapi/cli/php_cli.c:1404